MODBUS Application Protocol 1.1b System Information Remote Disclosure

Modbus is a serial communications protocol originally published by Modicon (now Schneider Electric) in 1979 for use with its programmable logic controllers (PLCs). Simple and robust, it has since become a de facto standard communication protocol, and it is now a commonly available means of connecting industrial electronic devices.

This protocol is used by a lot of industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems. Version 1.1b of the MODBUS Application Protocol, maintained by the Modbus Organization, outlines “Read Device Identification” functionality. This lets a remote client query a system for information and does not require authentication.

6.21 43 / 14 (0x2B / 0x0E) Read Device Identification

This function code allows reading the identification and additional information relative to the physical and functional description of a remote device, only.

Some systems may not give up much information but others give up the vendor, device, version, project information (which can include full path disclosure), and more. Shodan already uses this method to fingerprint systems: